{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5863", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:32.924Z", "datePublished": "2026-04-08T21:20:41.585Z", "dateUpdated": "2026-04-08T21:20:41.585Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:41.585Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/484527367"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5863", "lastModified": "2026-04-08T22:16:25.817", "metrics": {}, "published": "2026-04-08T22:16:25.817", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/484527367"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:50:35.371289+00:00", "value": {"mitigation_remediation": ["Apply the Chrome update to at least version 147.0.7727.55, which implements the hardened V8 sandbox.", "Verify the installed Chrome version after the update to confirm the fix is in place.", "If an immediate update is not possible, consider disabling JavaScript or using a browser that has patched the issue until an update can be applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All users of Google Chrome versions prior to 147.0.7727.55 are affected. The stated fix is to update to Chrome 147.0.7727.55 or later, which implements the corrected V8 sandboxing logic.", "description_and_impact": "The vulnerability is in the JavaScript engine V8 used by Google Chrome and allows a remote attacker to escape the sandbox and execute arbitrary code by loading a specially crafted HTML page. This high\u2011severity flaw means that a visitor to a malicious site can run code with the privileges of the browser process, potentially compromising the entire system's confidentiality, integrity, and availability.", "risk_and_exploitability": "The flaw can be triggered by loading a malicious web page, so any user who visits such a page is at risk. EPSS data is not available and the vulnerability is not tracked in the CISA KEV catalog, but the CVSS severity is high and the attack vector is remote via the internet. Exploitation requires no local privileges and can be performed by a web attacker who can host or deliver the crafted content."}}}}, "created": "2026-04-09T08:17:39.537788+00:00", "updated": "2026-04-09T08:27:03.074764+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}